Re: [Cfrg] Mishandling twist attacks

Alyssa Rowan <akr@akr.io> Fri, 28 November 2014 06:37 UTC

Return-Path: <akr@akr.io>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 072BA1A1A3E for <cfrg@ietfa.amsl.com>; Thu, 27 Nov 2014 22:37:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0wPKd05zthy8 for <cfrg@ietfa.amsl.com>; Thu, 27 Nov 2014 22:37:03 -0800 (PST)
Received: from entima.net (entima.net [78.129.143.175]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE36D1A1A2E for <cfrg@irtf.org>; Thu, 27 Nov 2014 22:37:03 -0800 (PST)
Message-ID: <54781812.9000801@akr.io>
Date: Fri, 28 Nov 2014 06:37:06 +0000
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: "cfrg@irtf.org" <cfrg@irtf.org>
References: <20141128014059.26622.qmail@cr.yp.to>
In-Reply-To: <20141128014059.26622.qmail@cr.yp.to>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Ntw5GARzpAh0vfTkiSiapsd-bJo
Subject: Re: [Cfrg] Mishandling twist attacks
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Nov 2014 06:37:05 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 28/11/2014 01:40, D. J. Bernstein wrote:

> Given the fact that Microsoft's curve-generation procedure is
> clearly subject to change, let me suggest a possible way forward.
> Microsoft adds further security criteria to its generation
> procedure, such as requiring the twist cofactor to divide the curve
> cofactor. For 2^255-19 it ends up with Curve25519---what a
> surprise! Microsoft then switches to proposing the latest edition
> of its "most trustworthy curve", namely Curve25519. This wouldn't
> resolve everything---I'd have to ask Microsoft to stop saying "new"
> for curves that really aren't new, and presumably there would still
> be discussion of larger primes---but surely it would help.

+1. This seems like an excellent way forward!

If the rpgecc authors (Microsoft Research/agl, et al) adopt this
approach, then I think we could perhaps (finally) reach consensus
about the choice of the ≈WF128 curve!

We'd then be able to move on to discussion about the "jumbo" curve
(which then would also have this useful security criteria).

Thoughts?

- -- 
/akr
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJUeBgSAAoJEOyEjtkWi2t6S3wQAI+6BpyPaWNb7yh537G7TgTe
s95c6aiPZZj4hlynbccCOgQDsuS2fyUO8VbZoA+6D9CWfsVzVLmPgGr8fE8vbZuj
+p0K+XTepYFzdX2WZqNQcq4KtOH4SeIPRBcFC/zx2VIAUcLX2b36FxJmxnvpPSar
Yl9Dno8S0T9+X+K2iOF+ZC0bKOwowuFf1idEY+9DnH+BIIvyiSNkn2meGSxm56Qf
WqMxnB/JhHfcZo4QT3bMZH8OHsBlVPPu+ohSO0+rt0li4esKM0kX3iQWze28DgrZ
GEBMVrXPk90RzahO1myI37mse1voFCTgHsk8+jYJmPSFVp+2KlkLd0Lw57cf3bQ0
B3/CoFNPhasoUsQSe65CPnbA5OVrWnNfp4OI5zBDxeTEiXMhd8u/2czV6Cro1tKF
owZj2IIWwQ4wC4rm4c+CHXTr4xlY5v+H9pw6Q5OWxvQ2bRkLVbp7M2JY/DOnJhmo
dSXwfFlx8kpF8KPjz3jlH+Y5KrKsjtY3Ul3k0G1T5ksje7vF4wJyh13rbO13gBKq
5OQoM7R2Qdk3z4GycsE9wT1/3VsnF9Vbrmr7iltq2mdxEcXPvWqniGKOmZKAYUj2
TCKpsVJ1lvmsbgZYUNu3784OKG6GPiQKqagwjdXI7gDI9P5GEITnpsiL5VHa808I
sngg6C2/5njrIOOWav9Z
=Dnwm
-----END PGP SIGNATURE-----